Commercially available information (CAI) plays an increasingly important role in United States intelligence community (IC) objectives, from investigating foreign military activity to uncovering cyber adversaries. CAI, which can include information like public records or online communications, is lawfully accessed and processed by the IC and often provides critical value for mission imperatives.
However, CAI’s growing availability, as well as its potential to contain sensitive personal data, warrants guidance to ensure civil liberties and privacy remain safeguarded in the US. To this end, the Office of the Director of National Intelligence (ODNI) released a Policy Framework for the IC’s use of CAI in May 2024.
While laws like the Privacy Act of 1974 and the Foreign Intelligence Surveillance Act (FISA) have already established privacy and civil liberty protections, the Policy Framework gives intelligence organizations further direction in an environment now dominated by CAI. Of particular concern is how IC elements identify and manage sensitive CAI, a process that can be facilitated by emerging data governance tools.
A closer look at the ODNI’s Policy Framework
The ODNI’s Policy Framework for CAI covers general principles for collecting and processing CAI. Put simply, these principles ensure that intelligence organizations:
- Use CAI in compliance with pre-existing privacy and civil liberties legislation and only in support of a valid mission or administrative need.
- Ensure data provenance, quality, and integrity through official documentation.
- Keep CAI adequately secured and managed using industry-standard data governance solutions.
- Maintain public transparency with CAI policies and procedures.
The Framework also offers specific guidance for handling “sensitive CAI,” information that carries a higher risk of undermining privacy and civil liberties. To be considered sensitive, CAI must include a significant amount of personally identifiable information (PII) about US citizens. Any data that links attributes (like race, religion, or gender identity) or activities (like patterns of life or personal affiliations) to one or more US citizens also qualifies as sensitive. Under this definition, a variety of data types, from social media content to census data, are governed by sensitive CAI directives.
When acquired from a commercial entity, CAI must be evaluated for the presence of sensitive information and its associated risks. There are additional requirements for handling sensitive CAI beyond the Framework’s general principles, which include access controls, documentation systems, approval processes, query auditing, and privacy techniques like data redaction and deletion.
“...the increasing availability of CAI and its potential sensitivity call for additional clarity in how the IC will make effective use of such information while ensuring that privacy and civil liberties remain appropriately protected.”
—IC Policy Framework for CAI
What the Framework means for data governance
Much of the Policy Framework guides how intelligence organizations control and share information from a data governance perspective. More specifically, these directives can impact data governance strategies in three main areas: tracking and documenting CAI usage, managing privacy regulations, and staying secure.
Tracking CAI usage
Under the Framework, intelligence organizations need to identify and document how CAI is generated, where it originates, and how it is processed. IC elements must also determine if other intelligence organizations have already accessed the same or similar sensitive CAI and whether uncategorized CAI is shared externally. These requirements can be facilitated by tools that can reliably record data provenance, supporting annual ODNI reporting mandates for any sensitive CAI usage.
Managing privacy regulations
Because many of the Framework’s directives apply specifically to sensitive CAI as defined above, IC elements would benefit from data management tools that can easily identify this information within their datasets. Sensitive CAI can then be redacted, removed, or protected through other privacy-enhancing techniques based on the mission’s scope, requirements, and pending approvals. This allows intelligence professionals to protect personal information and avoid privacy risks while delivering on mission objectives.
Staying secure
In addition to techniques like sensitive data redaction and anonymization, the IC is expected to implement security safeguards to restrict unauthorized access to sensitive information. This includes strict user access controls, such as attribute-based access. IC elements also require auditing strategies to ensure CAI queries align with mission requirements and user access permissions.
Maintaining compliance with federal privacy legislation
While the ODNI’s Policy Framework is specific to CAI, the document encapsulates other privacy legislation and provides guidelines for ensuring broader compliance. Recommendations like data provenance, sensitive CAI identification, privacy-enhancing techniques, and attribute-based access extend to these laws and address the common goal of protecting privacy and civil liberties.
For example, the Foreign Intelligence Surveillance Act (FISA) guides federal agencies in gaining authorization to gather foreign intelligence. The law protects any US person's information incidentally accessed during lawful intelligence operations under FISA—a protection further aided by tools like automated PII identification and redaction. Similarly, such capabilities simplify compliance with the Privacy Act of 1974, which safeguards personal information outside exemptions like census work or authorized criminal investigations.
“The IC’s access to and collection and processing of [CAI] is subject to numerous laws and policies governing intelligence activities, which include those found in the Constitution; statutes such as the Federal Information Security Modernization Act and the Privacy Act of 1974…”
—IC Policy Framework for CAI
Ensure compliance with ORIGIN
Recognizing the urgent operational need for data controls in federal agencies, Intlabs developed ORIGIN—a smart data governance platform that allows users to access, share, and store information safely.
ORIGIN ingests diverse datasets and enables administrators to set content redaction and access rules based on specific policies and legislation. This is ideal for meeting CAI requirements in the ODNI’s Policy Framework, as well as other privacy-related laws. Several ORIGIN features are particularly useful for compliance:
- ORIGIN AI analyzes data against relevant privacy laws and suggests automated rules like content redaction on the basis of those laws. For instance, an IC element could establish a rule that redacts any PII, attributes, or activities linked to US persons identified in a collection of CAI.
- ORIGIN’s data ledger uses non-repudiation principles and blockchain to securely record activities throughout the information lifecycle. This technology supports transparency and documentation directives such as those outlined by the ODNI.
- Object-level access controls and query auditing ensure data is only viewed by authorized users for approved intelligence use cases.
Stay prepared in an evolving regulatory environment
The ODNI’s Policy Framework is an important step in improving transparency, privacy protections, and operational cohesion across the IC as commercially available data usage expands. Its guidance helps ensure intelligence organizations continue gaining value from CAI without compromising on core privacy and civil liberty protections.
ORIGIN is a unique solution in this space, designed to simplify and standardize data security and privacy compliance for public sector organizations. This is key to maintaining trust, avoiding legal risk, and remaining proactive in an increasingly complex and rigorous regulatory environment.